23 NYCRR 500 NYS DFS Cybersecurity Compliance

The New York Department of Financial Services (DFS) has formally announced that directive 23 NYCRR 500 is in effect as of March 1.

The directive is also known by its formal title, “Cyber Security Requirements for Financial Services Companies”. It is a set of regulations intended to establish minimum regulatory standards and to encourage financial companies to establish and keep developing their cyber security programs.

At Minimum, All Agencies Will Need to Have the Following Elements

Establish a Cybersecurity program

Implement policies & procedures to secure non-public information

Limit access privileges to non-public information and review them regularly

Conduct Risk Assessments at least once a year, or whenever a process has changed or a new system is introduced

Third Party Service Provider Security Policy

Limitation on Data Retention, for disposal of nonpublic information stored on hard drives and other devices